Privacy Rights Clearinghouse
IMPORTANT: This fact sheet does not yet reflect new HIPAA regulations that went into effect in late January 2013. We will be updating our fact sheets as soon as possible. Please see:
[Also see our FAQ  on medical privacy.]
- HIPAA Privacy Rule: Benefits and Shortcomings
- Who Is Covered by HIPAA? Who Is Not Covered?
- Medical Information: What Does HIPAA Cover?
What Is "Protected Health Information?" What Is "Minimum Necessary?"
- Control of Your Medical Information: " Consent" and "Authorization"
- More About Your Right to Access Your Medical Records
- Your Health Records and Your Employer
- Your Health Records and the Government
- Your Health Information and Your Credit Report
- HIPAA and Your Daily Routine
- Complaints and Penalties for Violations
- The HIPAA Security Rule
- Electronic Health Records (EHRs)
- Electronic Health Records, and Privacy: The 2009 Stimulus Law -- the Health Information Technology for Economic and Clinical Health Act (HITECH)
- Health Information Privacy in California
- Tips for Safeguarding Your Medical Information
- References and Resources
Today you have more reason than ever to care about the privacy of your medical information. Intimate details you revealed in confidence to your doctor were once stored in locked file cabinets and on dusty shelves in the medical records department.
Now, sensitive information about your physical and mental health will almost certainly end up in data files. Your records may be seen by hundreds of strangers who work in health care, the insurance industry, and a host of businesses associated with medical organizations. What's worse, your private medical information is now a valuable commodity for marketers who want to sell you something.
The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996 to set a national standard for electronic transfers of health data. At the same time, Congress saw the need to address growing public concern about privacy and security of personal health data. The task of writing rules on privacy eventually fell to the U.S. Department of Health and Human Services (HHS). After several modifications, DHHS issued the HIPAA Privacy Rule.
The Privacy Rule was effective on April 14, 2003, for most health care providers, health plans, and health care clearinghouses. Small plans had until April 14, 2004 to comply.
If you expect HIPAA to restore your confidence that sensitive medical data is a matter between you and your doctor, you will be disappointed. HIPAA sets the standard for privacy in the electronic age where health industry, government, and public interests often prevail over the patient's desire for confidentiality.
This guide explains the complex provisions of HIPAA's Privacy Rule as well as recent measures to strengthen privacy and data security as the country moves closer to a system of electronic health records. It covers HIPAA's high points and low points regarding your health privacy. For more information on HIPAA and additional rules that are not explained here, go to the References section at the end of this guide.
What does HIPAA do? Is it good or bad?
The final version of the Privacy Rule includes both good and bad news for consumers. You may be surprised to see the new privacy "rights" in HIPAA were ones you always thought you had. The following provisions are HIPAA's "high points."
- HIPAA sets a national standard for accessing and handling medical information. Before HIPAA, your right to privacy of health information varied depending on what state you live in. Now, health care providers, health plans and other health care services that operate in all states have to abide by the minimum standards set by HIPAA.
Your state is free to adopt laws that give you more privacy, but it cannot take away the basic rights given by HIPAA. It is likely that your state has existing laws that in some way govern the privacy of medical records. Some states may pass new laws to incorporate or strengthen HIPAA.
To find out what the laws are in your state, visit the web site of the Health Privacy Project of Georgetown University see http://hpi.georgetown.edu/privacy/records.html , and select the section for State Law. Determining whether a state has a law that remains in force after the HIPAA Rule can be a challenging task, even for experienced lawyers.
- Access to your own medical records, prior to HIPAA, was not guaranteed by federal law. Only about half the states had laws requiring patients to be able to see and copy their own medical records. Now HIPAA gives everyone the right to see, copy, and request to amend their own medical records. You can be charged for copies of your records, but HIPAA sets limits on the fees. For more on access to your medical records, see Part 6  of this guide.
- Notice of privacy practices about how your medical information is used and disclosed must now be given to you. You should get a notice the first time you visit your doctor after the HIPAA Privacy Rule takes effect. The notice should also be available in the health care facility. It must tell you how to exercise your rights under the Rule. And the notice must explain how to file a complaint with your health care provider and with the HHS Office of Civil Rights.
- An accounting of disclosures of your health information is also required by HIPAA. You can find out who has accessed your health records for the prior six years, although there are several exceptions to the accounting requirement. For example, accounting is not required when records are disclosed to the many individuals who see your records for treatment, payment, and health care operations (TPO). Those involved in TPO do not need to be listed in the disclosure log.
- You can file a complaint with your health care provider and/or with the HHS if you believe a health care provider or health plan has violated your privacy. Go to Part 11  and the References  section at the end of this guide for more information on filing complaints.
- Special requests for confidential communications should be granted, if reasonable. You might prefer that telephone calls about your treatment be made to your home rather than your office. Or you might want notices like appointment reminders sent to a post office box instead of your home address.
- Staff training, the appointment of a privacy officer, and establishment of formal safeguards are some of the administrative requirements organizations must comply with under the HIPAA Privacy Rule. These requirements impose a focus on privacy that may have previously taken a back seat in the hectic, business-like atmosphere that often characterizes modern-day health care.
- You have a choice when it comes to having your name included in a hospital directory. You can also choose to have your medical information discussed with designated immediate family members, close friends, or relatives.
- Penalties, both civil and criminal, are authorized by the HIPAA Privacy Rule if the government brings a lawsuit for violations. The penalties, if imposed, could provide an incentive for compliance with the Privacy Rule. (See Part 11 .)
What are HIPAA's shortcomings?
Like it or not, you are not the only one with an interest in control of personal health information. The balancing act between your interests and those of other stakeholders is often tipped on the side of government, the medical profession, related businesses, and public interests. Consumer and patient advocates are critical of HIPAA for its numerous weaknesses.
Here are some of the ways that patients' rights to privacy come up short:
- Your consent to the use of your medical information is not required if it is used or disclosed for treatment, payment, or health care operations (TPO). In many situations such as emergencies, this makes perfect sense. You don't expect the ambulance driver to get your permission to call the hospital emergency room when you are having a heart attack. On the other hand, since your consent is not required for payment, your health care provider could submit a claim to your insurance company - even for a procedure you wanted to keep private and intended to pay for yourself. In addition, treatment, payment, and health care operations have broad definitions that encompass many activities that most people are not familiar with.
- Your past medical information may become available, even if you thought the information was long buried and would remain private. An event, treatment, or procedure from your distant past can be disclosed the same as information about current conditions. Of some comfort, old information is given the same protections under HIPAA as current information. In addition, HIPAA's "minimum necessary" rule applies to old as well as new records. This means that the amount of information disclosed should be limited to what is necessary to accomplish the purpose.
- Your private health information can be used for marketing and may be disclosed without your authorization to pharmaceutical companies or businesses looking to recall, repair or replace a product or medication. (For more on the marketing of your medical information see Part 5 below.)
- You have no right to sue under HIPAA for violations of your privacy. In other words, you do not have a "private right of action." Only the HHS or the U.S. Department of Justice has the authority to file an action for violations of the Privacy Rule. All you can do is complain to the one who violates your privacy or to the HHS. However, you may be able to sue under state law using the HIPAA Privacy Rule to establish the appropriate standard of care.
- Business associates of a covered entity can receive protected health information (PHI) without a patient's knowledge or consent. Before entering into an agreement with a business associate, a covered entity must receive assurance that information will be handled appropriately. After that, handling of sensitive data by business associates is left only to an honor system. Even when the limitations of the Privacy Rule are applied, many people can still see your medical records when carrying out the business of the plan or provider.
- Law enforcement access to protected health information under HIPAA is a significant concern of privacy and civil liberties advocates. Some disclosures may be made to law enforcement without a warrant or court order.
Business associates may include billing services, lawyers, accountants, data processors, software vendors, and more. Your doctor may, for example, disclose your health information to a business associate that processes medical bills. A written contract for this arrangement is required, but the doctor doesn't have to check to see that your information is being handled correctly. If there is a violation, the business associate is supposed to report it.
Is everyone involved in my heath care covered by HIPAA?
No. The HIPAA Privacy Rule pertains to three categories of "covered entities" - health care providers, health plans, and health care clearinghouses.
- Health care providers are covered if they transmit health information electronically. Even a doctor in a small practice who keeps only paper records will almost certainly use a billing service that transmits information electronically. In short, it is nearly impossible to provide health care today without using electronic means in some way.
As long as information is transmitted electronically, "health care provider" includes your doctors, hospitals, staff involved in your treatment, laboratories, pharmacists, dentists, and many others that provide medical, dental, and mental health care or treatment. In short, a provider is almost anyone in the business of providing health care who is licensed or regulated by the states.
- Health plan means almost anyone that pays for the cost of medical care. This includes: health insurance companies, HMOs (health maintenance organizations), group health plans sponsored by your employer, Medicare and Medicaid, and virtually any other company or arrangement that pays for your health care.
- Health care clearinghouses can be any number of organizations that work as a go-between for health care providers and health plans. An example of this would be a billing service that takes information from a doctor and puts it into a standard coded format. Patients rarely deal directly with clearinghouses.
An organization may also be what is called a hybrid entity. A hybrid entity provides health care as only part of its business. A large corporation that has a self-insured health plan for its employees is one example of a hybrid entity. Only the portion of the company that processes claims and makes payments to health care providers is subject to the HIPAA Privacy Rule.
Your medical information may be available to many who are not covered by HIPAA. Here are some examples of who is not covered.
- Life insurance companies.
- Workers Compensation.
- Agencies that deliver Social Security and welfare benefits.
- Automobile insurance plans that include health benefits.
- Internet self-help sites.
- Those who collect health data you give voluntarily for surveys or research projects.
- Those who conduct screenings at pharmacies, shopping centers, hometown fairs, or other public places for blood pressure, cholesterol, spinal alignment, and so on.
- Researchers who obtain health data directly from health care providers.
- Law enforcement agencies.
Even though these institutions are not covered by HIPAA, they may get information from a covered entity.
Is the Medical Information Bureau ( MIB Group, Inc.,MIB) a covered entity?
No, MIB is not a HIPAA "covered entity." It is, however, a business associate of its member health insurance companies. The MIB is a membership organization made up of insurance companies. Because the MIB is neither a health care provider, health care plan, nor health care clearinghouse, it is not a covered entity. Some of MIB's members underwrite life and disability insurance, functions that are not covered by HIPAA.
MIB's activities fall under another federal law, the Fair Credit Reporting Act (FCRA) because the company gathers information and issues reports about individuals to insurance companies. Two other companies that fall under the FCRA are Milliman, owner of the IntelliScript database, and Ingenix, Inc. owner of the MedPoint database. The IntelliScript and MedPoint databases gather information about a consumer's prescription drug history and issue reports to insurance companies.
- For more on MIB, see www.mib.com  and Privacy Rights Clearinghouse Fact Sheet 8, How Private Is My Medical Information?www.privacyrights.org/fs/fs8-med.htm .
- For more on MedPoint, see www.ingenix.com/ContactUs/ .
- For more on IntelliScript see www.rxhistories.com/how_it_works.html .
- To learn more about your rights regarding these "specialty report" providers in general, read our Fact Sheet 6b, at www.privacyrights.org/fs/fs6b-SpecReports.htm .
HIPAA covers any information about your past, present or future mental or physical health including information about payment for your care. To be covered by HIPAA, information has to be kept by a covered entity - a health care provider, health care plan, or health care clearinghouse. This, combined with some fact that identifies you (your name, address, telephone number, Social Security number) is called "protected health information" or PHI. PHI can be oral, handwritten, or entered into a computer. This means a conversation between a doctor and nurse about your condition has the same general protections as information written on your records.
Are my child's (K-12) records of visits to the school nurse covered by HIPAA?
No. Health records kept by schools are classified as "education records" covered by the Family Educational Rights and Privacy Act (FERPA). For more on FERPA and privacy of your child's education records, visit the US Department of Education web site, www.ed.gov/offices/OM /fpco/ferpa/index.html .
For more on health care records and education records, see joint guidance published by the U.S. Department of Education and Department of Health and Human Services in November 2008. www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hipaaferpajointguide.pdf 
Also see, PRC Fact Sheet 29, Privacy in Education: A Guide for Parents and Adult-Age Students, www.privacyrights.org/fs/fs29-education.htm .
Are results of genetic testing subject to HIPAA?
Yes, under certain circumstances. Keep in mind that HIPAA only applies to medical information collected and maintained by certain “covered entities,” that is healthcare providers, healthcare plans, and healthcare clearinghouses. Thus, for example, if your personal physician or group health insurer has on file certain information about your genetic history or the results of genetic tests, that information is protected by HIPAA like any other medical information.
In rules adopted under a 2008 federal law, the Genetic Information Nondiscrimination Act of 2008 (GINA), which prohibits employers and most health insurance plans from denying you employment or health benefits based on genetic information, HHS says that genetic information, like other health-related information, is subject to the privacy protections of HIPAA.
The interim final rule, adopted jointly by HHS and the U.S. Department of Labor and U.S. Treasury Department, can be found here: www.hhs.gov/ocr/privacy/hipaa/understanding/special/genetic/ginaifr.pdf 
In November 2010, the Equal Employment Opportunity Commission adopted a final GINA rule prohibiting employment discrimination  in genetic testing.
In other situations, however, HIPAA would not apply. Examples would include a situation where you order your own tests and receive results from a service that provides direct to consumer or DTC testing. For more on DTC and genetic testing, see PRC publication, Privacy Today: A Review of Current Issues at www.privacyrights.org/ar/Privacy-IssuesList.htm#dtc 
As another example, genetic and other medical information kept by your employer as part of your personnel file is not subject to HIPAA. For more on HIPAA and your employer, see Part 7 of this guide.
Are there any limits on what can be disclosed from my medical file?
The Privacy Rule incorporates what it calls a "minimum necessary" standard when it comes to how much information should be disclosed. Doctors, hospitals, and others covered by the HIPAA Privacy Rule are required to limit the amount of information disclosed to others to the minimum necessary to accomplish the intended purpose.
What amounts to the minimum is left up to the health care provider, not you. And, the minimum necessary rule does not apply to information disclosed in connection with treatment. It also doesn't apply if you authorize the disclosure of your health information.
For some purposes, information may be disclosed that has been “de-identified,” that is information that would identify an individual has been deleted from what would otherwise be “protected health information” or PHI. One example of “de-identified” information is when data is used for research purposes.
To learn more about de-identification see the HHS publication: Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule 
For more about HIPAA as it applies to research, see this HHS publication .
Your ability to control how your medical information is used falls generally into four different situations - along a continuum of no control to some control :
- There are situations where you have no right to consent.
- In some situations your authorization is not needed.
- In certain cases your authorization is needed.
- You have an opportunity to consent or object in a few situations.
The HIPAA Privacy Rule makes a distinction between your "consent" and your "authorization." An authorization must be given on a separate document that sets out details of the disclosure.
Consent, when required, is much less formal (discussed further below.) The HHS explains the difference between consent and authorization in the Question and Answer Section of the Agency's web site. To read the Agency's explanation, go to: http://www.hhs.gov/ocr/privacy/hipaa/faq/authorizations/264.html .
When can information be used without my consent?
Consent for use of your information is not the same as consent for treatment. The HIPAA Privacy Rule does not change the general requirement that a health care provider needs your consent before treating you.
A covered entity is allowed to seek your consent, and some state laws require patient consent for treatment, payment, and other disclosures. A covered entity is required to make a good faith effort to obtain your acknowledgment that you received a notice of privacy practices, but this is not the same as obtaining consent.
Your consent is not required when your medical information is used for treatment, payment, or for health care operations (TPO). But it goes much further than that. Your consent is not necessary when your information is used by a business associate of your health care provider or plan.
Services provided by a business associate can include: legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial. These business relationships are established with a written contract. Your personal medical information can be used to carry on the business association, but you are not a party to the arrangement.
Does HIPAA allow a provider to contract with a foreign business associate?
HIPAA makes no distinction between a U.S. business associate and one based in a foreign country. Of late, outsourcing services that involve the transfer of personal data offshore have been the subject of many press reports. Legislation has been introduced in Congress and some state legislatures to at least give consumers notice when medical data is sent offshore. For many Americans, outsourcing is most troubling when the services provided by a foreign company entail the use of highly sensitive medical and financial information. However, to date, there are no legal restrictions on outsourcing medical-related services.
What does "health care operations" mean?
Health care operations are not the same as business associate arrangements. Use of your medical information for purposes of carrying out operations does not require a written contract. Here are just some of the things that fall under the broad heading of operations:
- Reviewing the competence of health care professionals.
- Training programs.
- Activities related to health care contracts.
- Business planning and development.
- Resolution of internal grievances.
- Sale, transfer, merger, or consolidation of the health care provider or plan.
- Medical services review, legal services, auditing, including fraud detection.
Will I ever know how many people have seen my medical information?
HIPAA requires safeguards to limit the number of people who have access to personal information. Given the number of people who may have access to your information just to run the operations and business of the health care provider or plan, there is no realistic way to count the number of people who may come across your records. If you are hospitalized, for example, hundreds of hospital employees may see your health information.
When you add to this the number of instances listed below in which your medical information can be disclosed without your authorization, the numbers can be staggering. For an idea of how extensive routine disclosures can be, read "Health Privacy: The Way We Live Now" by Robert Gellman, reprinted on the Privacy Rights Clearinghouse web site, www.privacyrights.org/ar/gellman-med.htm .
The HIPAA Privacy Rule carves out many exceptions to your ability to authorize release of your "protected health information," including details that identify you . As discussed earlier, you don't have the right to consent or object when your information is used for treatment, payment, or operations, including disclosures to business associates of your health care provider or plan. Each of these exceptions places conditions on the covered entity that makes the decision to disclose. But, you are out of the loop.
The flow of your medical information is beyond your control when the disclosure is made by a covered entity to or in connection with:
- Any disclosure required by federal, state, or local regulation, regardless of the scope of the disclosure or the purpose of the disclosure.
- Public health authorities.
- A person subject to the jurisdiction of the federal Food and Drug Administration.
- A person who may have been exposed to a communicable disease.
- An employer to (1) conduct workplace medical surveillance or (2) to evaluate whether you have a work-related illness or injury.
- Victims of abuse, neglect or domestic violence.
- A health oversight agency for audits and investigations.
- Court or administrative proceedings in response to a court order, subpoena, or discovery request.
- A collection agency for unpaid medical bills.
- Coroners and medical examiners.
- Funeral directors.
- Organ procurement organizations.
- A medical researcher with institutional review board approval.
- A threat to public safety or public health.
- U.S. and foreign military commanders.
- U.S. Department of Veterans Affairs to determine eligibility for benefits.
- Federal government national security and intelligence officials.
- U.S. Department of State to verify health fitness of employees and their families for foreign duty.
- Correctional institutions involved in health care of inmates.
- Workers compensation uses authorized by state law.
Further . . .
- Law enforcement access is authorized in a number of ways under HIPAA. In some cases information may be disclosed without a warrant or court order.
For more about disclosures in a law enforcement context, see http://www.hhs.gov/ocr/privacy/hipaa/faq/disclosures_for_law_enforcement_purposes/index.html 
On January 15, 2013 , HHS issued an open letter to healthcare providers making it clear that the HIPAA privacy rule does not prevent disclosure when a patient presents a danger to himself or other people. Discloure may be made to, for example, familiy members, law enforcement, school administrators, and campus police.
Obviously, many of the disclosures listed above are made for the public good. Some disclosures are required by law. Who could argue, for example, with the need to alert public health officials to an outbreak of a deadly disease. And there is without a doubt a strong public interest in mandatory reporting of suspected child abuse.
Each one of the disclosures listed above that can be made without the authorization of the subject carries with it a set of conditions. For a complete list of those conditions, you may want to look at §164.512 the Privacy Rule itself, http://edocket.access.gpo.gov/cfr_2002/octqtr/45cfr164.512.htm 
Is my authorization ever required before my information can be disclosed?
HIPAA requires your specific authorization unless disclosure is not otherwise allowed. Special authorization requirements apply (1) when the disclosure involves psychotherapy notes and (2) when the disclosure is made for marketing.
The Privacy Rule explains the procedure that must be followed to get your authorization. It states that you should not be denied treatment because you decide not to sign the authorization.
Psychotherapy notes should not be disclosed to others without your authorization. Again, there are built-in exceptions if the notes are used for such purposes as training staff or to defend the doctor or health plan in court.
Marketing, or when someone tries to sell you something based on your health information, is allowed if you give your authorization. But, there's often a fine line between marketing that requires your consent and marketing that does not.
Following are some examples from the HHS web site of what is and is not considered marketing under the Privacy Rule:
Examples of marketing communications requiring prior authorization:
1. A communication from a hospital informing former patients about a cardiac facility, that is not part of the hospital, that can provide a baseline EKG for $39, when the communication is not for the purpose of providing treatment advice.
2. A communication from a health insurer promoting a home and casualty insurance product offered by the same company.
It is not marketing and no authorization from you is required when:
1. A hospital uses its patient list to announce the arrival of a new specialty group (for example, orthopedic) or the acquisition of new equipment (like a magnetic resonance image machine) through a general mailing or publication.
2. A health plan sends a mailing to subscribers approaching Medicare-eligible age with materials describing its Medicare supplemental plan and an application form.
The term "marketing" is one area that is likely to be debated by state legislators given states' authority to expand HIPAA privacy protections.
Can I be denied treatment or coverage if I don't give my authorization?
No. Treatment or health care coverage cannot be denied because you don't sign an authorization. Again, there are exceptions. If the authorization is for research-related treatment, you may not be allowed to participate in the research program without giving authorization to disclose your information. If authorization is requested from a health plan prior to the time you enroll and you refuse to give your authorization, you may not be allowed to enroll.
Can I revoke my authorization?
Yes, if you do so in writing and before any action is taken based on your authorization.
Does a hospital need my authorization to include me in a directory?
We explained above about two opportunities to authorize release of your personal data - psychotherapy notes and certain marketing situations. Another situation is created under HIPAA for "directory" information. Although your written authorization is not required as it is for marketing and psychotherapy notes, whether you are included in a hospital directory requires your consent. Again, note the HHS explanation of the difference between consent and authorization. http://www.hhs.gov/hipaafaq/use/264.html .
That situation typically arises when you are admitted to the hospital. Hospitals routinely maintain directories, and inquiries are often made about a patient from a member of the clergy, the news media, family, and friends. If you are not in the directory, the hospital will not be able to tell visitors you are there, route phone calls, deliver flowers, and so on.
Situations in which individuals are likely to want to limit the disclosure of directory information include: victims of domestic violence or stalking who need to safeguard their location, celebrities and other public officials who want their hospital stay kept private, and individuals who for whatever reason want to limit others' knowledge of their health condition. Under the HIPAA Privacy Rule, you must be given an opportunity to either agree or disagree to the disclosure of your directory information.
When can I agree or disagree to having "directory" information about me disclosed?
You should be given this choice as part of the admission procedure. The directory could include information about your location within the facility, your religious affiliation (disclosed to members of the clergy only), and your condition. An agreement to be included in a hospital directory may be made orally or in writing. You can restrict the kinds of information to be disclosed and to whom it is disclosed. In case of an emergency or another situation where you are not able to give your consent, your health care provider may use his or her professional judgment. In that case, you should be consulted later when you are able to make an informed choice.
- For more on hospital directories, see A Patient’s Guide to HIPAA by the World Privacy Forum, www.worldprivacyforum.org/hipaa/HipaaGuide58.html 
- Also see the HHS website for answers to specific questions about facility directories. http://www.hhs.gov/ocr/privacy/hipaa/faq/facility_directories/index.html 
Can I give consent or authorization for someone else?
Yes, in some circumstances. The HIPAA Privacy Rule includes information on when you can act for another person or when someone can act for you. This might include times when you have a power of attorney, when you are the parent of a minor child or mentally retarded adult, or when you or someone else is acting in an emergency. For more on this, see the section on References below and the HHS website for the publication entitled "Personal Representatives," www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/personalrepresentatives.pdf 
What documents will I have to sign?
The Privacy Rule includes only one situation where the consumer has to sign a document. As discussed above, a patient must sign an authorization form before health information can be disclosed for marketing or when psychotherapy notes are involved.
A signed acknowledgement means only that the consumer/patient was given a copy of a privacy notice. It does not mean (and should never state) that the consumer agrees with the policy. If the patient does not sign the acknowledgement, the covered entity is supposed to document the "good faith" effort. We have learned of instances where a covered entity has refused to provide services if the patient refuses to sign an acknowledgement. The Privacy Rule does not give the healthcare nstitution the right to deny service to a patient who refuses to sign a document acknowledging that they received a copy of the notice.
Your ability to see your own medical records is probably the single most important right you have under HIPAA. Before HIPAA, your right to see or copy your medical records often depended on your state laws. Now, HIPAA sets the national standard, or ìfloor,î meaning that states can give you greater rights to access your medical information, but state laws cannot take away the fundamental access rights you have under HIPAA.
Does HIPAA allow me to get my original records?
No. HIPAA only gives you the right to get copies of your records. Or, if you choose, you can ask to see your medical records or ask for a summary of your medical file.
Do I have to submit a written request for my medical records?
Even if your doctor does not require a written request, it is always a good idea to put your request in writing. That way, you have a record of important details such as when you filed your request and the record you requested. For a sample letter to request a copy of your medical records, see www.privacyrights.org/Letters/medical2.htm .
When will I get my records?
Usually, you should get your copies within 30 days of the request. Under HIPAA, if the process takes more than 30 days, you must be given a reason. Your state law may give you the right to receive your records more quickly. In California, for example, you should be able to see your medical records within 5 days and get a copy within 15 days. For more on your rights to access under state laws, see http://hpi.georgetown.edu/privacy/records.html .
Do I have to pay for copies of my medical records?
Probably, yes. HIPAA says you can be charged a "reasonable, cost-based fee." This means you can be charged for supplies and staff time for copying your records. You can also be charged for mailing records, if mailing is what you request. But, you should not be charged for time spent searching for your records. Nor, should a provider have a policy of charging all patients a flat fee.
Do I have to pay for a summary of my medical file?
Yes, but you must agree to the fee in advance.
Can I be denied access to my medical records?
Yes, in a few circumstances. For example, you cannot access psychotherapy notes or information compiled for lawsuits. Your request can also be denied if the provider decides the information you want could reasonably endanger your life, your physical safety or that of another person. A written denial letter is usually required. In some cases, you can appeal a denial. If so, you should be given instructions on how to appeal in the written denial.
Does HIPAA say medical records must be kept for a certain time?
HIPAA does not include a record retention period. It does, however, allow you to request an accounting or report of who has accessed your records. This covers the six years prior to the date you request the accounting.
Although HIPAA does not require that medical records be kept for a set time, many states have such laws. Federal law and regulations are have retention requirements for some records. To learn more about retention and records destruction see, following American Health Information Management Association (AHIMA) publication: Retention and Destruction of Health Information .
How do I correct inaccurate information in my medical records?
You can ask for a correction of inaccurate information. You should make your request in writing. You should receive a written answer within 60 days. If your correction request is denied, you can note your disagreement in your file.
My physician is no longer in practice. How do I find my records?
The American Health Information Management Association, www.ahima.org , offers the following advice on how to locate records when your physician is no longer in practice:
Even if your physician moved, retired, or died, his or her estate has an obligation to retain your records, including immunization records, for a period defined by federal and state law. Often this retention period is 10 years following your last visit (or until a child/patient is 21). You may be able to locate your records by contacting:
- Your physician's partners
- The health information manager at a nearby hospital where the physician practiced
- The local medical society
- The state medical association
- The state department of health
Since I am caring for my elderly parents, may I request their medical records?
Generally, permission to access another person's medical records must come from the patient. The patient may designate a friend or relative to receive information related to care and treatment. Permission should be given in writing and filed with the care provider or facility. If the patient is incapacitated, you or another person may be appointed legal guardian by a court. Then, the legal guardian decides who has access to the patient's medical records.
Is it possible to access medical records of a person who is deceased?
HIPAA speaks of two instances that allow access to a deceased's medical files. One, the personal representative designated by a will or appointed by a court to settle the deceased's affairs may gain access to medical files. Second, a relative may receive medical information about the deceased if the information has a bearing on the relative's health.
Do I have the right to see my child's medical records?
Generally, yes. However, there are some exceptions:
- When the minor is the one who consents to care and the consent of the parent is not required under State or other applicable law.
- When the minor obtains care at the direction of a court or a person appointed by the court.
- When, and to the extent that, the parent agrees that the minor and the health care provider may have a confidential relationship.
Additional information about a minor child's health records can be found on the HHS web site at www.hhs.gov/hipaafaq/personal/227.html .
The Guttmacher Institute has a guide to state laws, "Minors and the Right to Consent to Health Care" available at www.guttmacher.org/pubs/tgr/03/4/gr030404.html 
For many people, the ultimate worry is that an employer's access to information about health and treatment or even the possibility of future illness can affect employment. The way and extent to which the HIPAA Privacy Rule covers your health information in the workplace depends on the type of health coverage you have. The majority of people in the workforce who have health benefits associated with employment fall into one of two categories:
- Group health plans are covered by the HIPAA Privacy Rule as long as the plan has 50 or more participants. If you are a member of a group health plan, your employer pays a premium to the health plan organization to cover your health care costs. In return for the premium paid, the health care plan assumes the risk of paying for health care expenses covered by the plan. The HIPAA Privacy Rule applies to the plan itself, but not your employer.
- Self-insured plans are health plans often offered by large employers as an employee benefit. Under self-insured health plans, the employer itself assumes the risk of health care costs and has the responsibility for paying heath care claims out of the company's operating funds. Claims may be processed by company personnel or contracted out to other companies that process and maintain the records.
My employer sponsors a group health plan? Can my boss see my medical claims?
HIPAA says that the group health plan can tell your employer whether you are enrolled in the plan or not. Your employer can also get from the group plan what is called "summary" information to use to obtain premium bids or changes in coverage. If the health information your employer receives goes beyond the basic summary, then HIPAA requires the employer to establish procedures much like that of a covered entity. HIPAA attempts to limit the use of medical information for employment purposes.
My employer is self-insured. Does HIPAA guarantee my privacy?
Under the HIPAA Privacy Rule, an employer that is also the insurer of health benefits is in a category called a "hybrid" entity. That means the portion of the company's operations that deal with processing health claims is a covered entity. Like any other covered entity, a "hybrid" function must (1) give notice of written privacy procedures, (2) place restrictions on the use of health information, and (3) appoint a privacy officer and train staff.
If you are the least bit concerned about the privacy of your medical information, the close relationship between your boss and the person who processes your health claims can send a chill down your spine.
It's Helen in personnel who's looking at all the forms, and knows whether you're seeing a psychiatrist, you just had your tubes tied, or you've just been diagnosed with cancer," quoting the chairman of the University of Massachusetts Medical School Psychiatry Department in National Journal, "Open Secrets," (Oct 9, 1999) at p.2880.
HIPAA requires that "hybrid" entities such as self-insured employers erect "firewalls" between the portion of the company that handles the health claims and the portion that does not. However, the effectiveness of this procedure remains to be seen.
My employer has an on-site health clinic. Is that covered by HIPAA?
An on-site health clinic at your place of employment may be another example of what the HIPAA Privacy Rule calls a "hybrid" entity. This depends on whether the health clinic transmits information electronically and engages in standard transactions under HIPAA's electronic data interchange rule, for example, if the clinic bills an employee's health plan. If so, the records maintained by the health clinic are subject to the same protections that apply to other covered entities.
Are all records related to my employment and my health subject to HIPAA?
No. Records that relate to other employee benefits such as life insurance, disability, workers compensation, or long-term care insurance are not covered by HIPAA. Nor are records that relate to your employer's compliance with laws that govern safety and health risks in the workplace.
To learn more about health records and the workplace, see the HHS publication entitled Employers and Health Information in the Workplace, www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/employers.html .
I work in a hospital. Is my employment file covered by HIPAA?
No. The Privacy Rule applies only to records maintained for treatment of patients. Records in your employment file are not covered.
Can my employer require me to disclose my family medical history or to submit to genetic testing?
No. Under a 2008 law, the Generic Information Nondiscrimination Act (GINA), an employer may not request, require, or purchase genetic information about you. If, like many people, you have health insurance through your employer’s group health or self-insured plan, GINA also prohibits your insurer from requesting, requiring, or purchasing genetic information. Further, the insurer cannot use genetic information to adjust your premiums or the premiums of your group plan.
For more on GINA and what employers and insurers can and cannot do, see the website for the organization Council for Responsible Genetics at: www.councilforresponsiblegenetics.org/geneticprivacy/index.html 
There are many situations when the government has the right or the legal obligation to see your medical records. State agencies must keep records of births and deaths as well as registries of people who have been diagnosed with serious illnesses such as cancer or HIV. Typically, disclosures to the government do not require your authorization. (See Section 4 for some examples of when government officials can see your medical records.)
Many government-sponsored health programs such as those covering the military, veterans, and government employees are covered by the Privacy Rule. When personally identifiable health information is collected by the government, the federal Privacy Act also applies.
HHS, a federal government agency, may have access to your health records in connection with an investigation. The agency's Office of Civil Rights (OCR) reviews complaints about privacy violations. You might complain to the OCR, for example, that your HMO refused to give you a copy of your medical records. Then, OCR could request a copy of your records from your HMO as part of its investigation.
Does HIPAA create a government database of medical information?
Following is quoted from the HHS web site on the subject of medical databases:
Does the HIPAA Privacy Rule require my doctor to send my medical records to the government?
Answer: No. The Rule does not require a physician or any other covered entity covered entity to send medical information to the government for a government data base or similar operation. This Rule does not require or allow any new government access to medical information, with one exception: the Rule does give the Department of Health and Human Services Office for Civil Rights (OCR) the authority to investigate complaints that Privacy Rule protections or rights have been violated, and otherwise to ensure that covered entities comply with the Rule.
To see the full answer to this question, go to: www.hhs.gov/ocr/privacy/hipaa/faq/disclosures_for_law_enforcement_purposes/347.html
Can my information be disclosed to a credit bureau?
Yes. When you put on that faded cotton gown and sit on the examining table, you are the patient. But, your role could change to many other things, including that of debtor. You visit your doctor and pay for health insurance premiums so that you are assured of care in an emergency or in case of an illness. But, your relationship is also a business arrangement.
You are obligated to pay for any costs not covered by your health insurance. Remember : Your consent is not required to disclose information from your medical files if it is made in connection with payment.
An unpaid bill, like any other debt claimed to be owed, may be reported to a credit bureau. What's more, an unpaid medical bill can appear as a negative entry on your credit report. Information that can be disclosed to a credit bureau about you includes:
- Your name and address
- Date of birth
- Social Security number
- Payment history
- Account number
- Name and address of the health care provider or health plan that says you owe the money.
A 2003 study by the Federal Reserve found that over half of all collections noted on credit reports were for unpaid medical bills, www.federalreserve.gov/pubs/bulletin/2003/0203lead.pdf .
May a doctor or hospital give information about me to a collection agency?
Yes. HHS says debt collection is a payment activity under HIPAA. Health care providers may entered into a business associate agreement with a collector. The “covered entity” may disclose information required to collect the debt but must also follow the “minimum necessary” standard that applies to all disclosures under HIPAA.
For more on HIPAA and debt collectors, visit the HHS Frequently Asked Questions Page, www.hhs.gov/ocr/office/faq/index.html , and enter the phrase “collection agency.”
Can I dispute a medical bill?
Unfortunately, the federal law that enables consumers to dispute billing errors does not apply to medical bills. The Fair Credit Billing Act only applies to credit card accounts and revolving charge accounts. But that does not mean that you cannot dispute billing errors.
The medical billing and insurance claims processes can be complicated and confusing. Be sure to stay on top of your medical bills and dispute matters in writing with both the health provider and insurance company when you think errors have been made. Try to get the matter resolved before the debt is reported to a collection agency and/or to the credit reporting agencies (Experian, Equifax, TransUnion).
If a medical debt is reported to a collection agency, you have rights given by credit and collection laws. Federal laws are the Fair Credit Reporting Act and the Fair Debt Collection Practices Act. State laws might also apply.
For more information about your rights under these consumer protection laws:
- Visit the Federal Trade Commission's web site at www.ftc.gov .
- Read Privacy Rights Clearinghouse Fact Sheet 6, How Private Is My Credit Report?www.privacyrights.org/fs/fs6-crdt.htm .
- Read Fact Sheet 27, Debt Collection Practices: When Hardball Tactics Go Too Far, www.privacyrights.org/fs/fs27-debtcoll.htm 
Can an overdue medical bill appear on my credit report?
Yes. Unfortunately, even astronomical debt that stems from life-saving procedures is treated like any other debt. If neither you nor your insurer pay for the care, a medical debt can appear on your credit report. Not too long ago, a delinquent medical debt listed on your credit report might reveal not only the amount of the debt, but also the identity of the medical creditor. Needless to say, such a practice could reveal the nature of your illness or treatment as well.
Now, thanks to changes in the Fair Credit Reporting Act, your credit report cannot reveal the name, address, or telephone number of a medical creditor—unless the information is in code. For more on the medical privacy changes adopted under the Fair and Accurate Credit Reporting Act (FACTA), see PRC Fact Sheet 6a, FACTA, The Fair and Accurate Credit Transactions Act: Consumers Win Some, Lose Some, www.privacyrights.org/fs/fs6a-facta.htm#7  .
Can my health care provider check my credit report and credit score?
If you owe money for unpaid medical bills, the provider or the provider’s debt collector, like any other creditor, can check your credit report. From this the provider or collector might learn, for example, that you have the ability to pay from untapped lines of credit on your home equity loan or credit card. And, like any other creditor, a health provider could report an overdue account to your credit report.
A provider might also check your credit report if you are applying for free or discounted medical services. Again, based on information in your credit report, the provider might decide that you are not entitled to free or discounted services because you have assets or available credit.
I read a news article about medical "scores." What is that?
News articles in early 2008 reported on the development of a medical scoring system that would rate your risk of not paying a medical bill. Under this scheme, your risk analysis would be based on your past payment history of medical bills. Such systems, dubbed “MedFICO” and sometimes called a “wallet biopsy,” should not stop you from getting treatment in an emergency situation. If ever widely used, however, such medical scoring systems could force patients to exhaust all resources, such as retirement accounts or home equity credit lines to pay for needed health care.
Widespread use of a medical scoring system could also create significantly more trouble for victims of medical identity theft. This type of identity theft occurs when someone uses your identifying information to receive health care or for the payment of insurance benefits for the payment of health care. For more on medical identity theft, see the World Privacy Forum’s Identity Theft Information Page, at www.worldprivacyforum.org/medicalidentitytheft.html .
When I pay a medical debt, will this still appear on my credit report?
A medical debt, like any other debt, can appear on your credit report for seven years, even after you have paid off or settled the debt. A bill (H.R. 3421) was introduced in Congress in 2010 that would have provided some relief for the millions of Americans whose credit scores have suffered from medical debt. However, H.R. 3421, captioned the Medical Debt Relief Act, did not become law. Had it done so, it would have prohibited credit bureaus from including paid off or settled medical debt in an individual's credit report.
H.R. 3421 can be found here: http://xa.yimg.com/kq/groups/1654098/650654603/name/Medical%20Debt%20Relief%20Act.pdf 
10. HIPAA and Your Daily Routine
HIPAA touches nearly every aspect of modern medicine. Privacy in the hotly debated issues of medical research and genetic testing are beyond the scope of this guide. For more information on these topics, see the HHS web site and the References Section at the end of this guide.
But HIPAA also touches on privacy in small ways like routine office visits, prescription refills, and messages left on voice mail systems. This is a partial list of day-to-day situations where HIPAA comes into play:
- You can make a special request to be called for appointment reminders or to discuss your treatment at a certain telephone number.
- Your health care provider should be careful to keep information left on patients' voice mail systems to a minimum.
- Medical records can be faxed from one doctor to another.
- Someone else can pick up your prescription with your permission.
- Your doctor can prescribe medication without a face-to-face visit.
- The pharmacists can talk to you over the counter about your medication, but must take care that others near you do not hear the conversation.
- Medical files can be left outside the examining room, but should be turned facing the wall.
To find out what HHS has to say about routine situations, conduct your own keyword search of the agency’s Frequently Asked Questions Section at: www.hhs.gov/ocr/privacy/hipaa/faq/index.html .
Will HIPAA stop gossip?
Rumors and gossip about medical conditions or treatment are a concern to many people. This is particularly true in small communities where neighbors, friends, and former in-laws might work at the only hospital in town. Under HIPAA, access to sensitive medical information should be limited to those who have a need to know. However, no system can ever stop gossip. If you find that any of your sensitive medical information is disclosed through the grapevine, you should not hesitate to report it to the health care service and file a complaint with the HHS.
Health care providers must pay attention to accidental disclosures through routine conversation. A doctor, nurse, or technician may violate the HIPAA Rule simply by saying to a third party that they saw a particular individual at the clinic last week. That statement discloses that the individual is a patient who sought care, and both of those facts are "protected health information" (PHI) under HIPAA. The disclosure might be particularly sensitive if the physician is a psychiatrist, but the same policy applies to family practitioners, pharmacists, and dental hygienists too.
Is anything being done to stop snooping?
Yes, at least in California. You may have read about hospital employees who accessed celebrity medical records in Los Angeles and then sold that information to the tabloids. While you may not be a celebrity whose information is of interest to the tabloids, such lax security puts everyone’s health information at risk.
Actions like those that made headlines would no doubt be a violation of HIPAA. However, you, as the patient, would have little recourse except to file a complaint with HHS. In contrast, under recent California law, one who unlawfully uses, discloses or accesses medical information can be fined $2,500 for the first violation and up to $25,000 for third and subsequent violations. And, willful disclosure of medical information for the “purpose of financial gain” is a misdemeanor that can bring up to a $250,000 fine. Also, unlike HIPAA, the California law gives individuals the right to sue for both actual and punitive damages.
To learn more about your rights to health information privacy in California, see the web site for the California Office of Health Information Integrity, Frequently Asked Questions .
Also see Part 15 of this guide.
You don’t have the right to sue under HIPAA. The most you can do is file a complaint. The privacy notice you receive from your health care provider or plan is required to tell you how to file a complaint within the organization. Every HIPAA covered entity must have a designated privacy officer. The notice should also tell you how to contact the HHS Office of Civil Rights. This is the government office charged with enforcing the Privacy Rule.
We recommend you start your complaint process by first contacting the health care provider’s designated privacy officer. By doing so, you not only create documentation of your complaint but also show you have made a good faith effort to resolve the problem yourself. If you encounter problems or your complaint is ignored, however, you should proceed with your HHS complaint. Although government agencies cannot represent you personally, it is often consumer complaints that alert agencies to violations of laws they are charged with enforcing.
You must file your complaint with HHS within 180 days of the violation, but HHS can extend that time. HIPAA says you cannot be denied treatment because you file a complaint.
Even though the HIPAA Privacy Rule does not give you the right to sue, other federal or state laws or regulations might give you the right to bring an action in court for violations of your privacy. If you feel your rights have been violated, you may want to discuss the situation with an attorney.
The 2009 economic Stimulus Law includes several provisions intended to step up enforcement of HIPAA. For example:
- Business associates, that is individuals or companies that do work for HIPAA covered entities, can be held accountable for HIPAA violations.
- Individuals, as well as covered entities, can face criminal penalties.
- HHS is required to investigate HIPAA violations due to “willful neglect.”
- HHS must conducted periodic audits.
- State attorneys general can bring an action in federal court for HIPAA violations.
For more on health privacy provisions of the 2009 Stimulus Law, see World Privacy Forum’s analysis of the American Recovery and Reinvestment Act of 2009, http://bobgellman.com/rg-docs/Stimulus-Privacy-HIPAA-Analysis.pdf .
For a summary of the health information technology provisions of the Stimulus Law, see the American Medical Association (AMA) publication at: www.ama-assn.org/ama1/pub/upload/mm/399/arra-hit-provisions.pdf 
For a summary of the privacy provisions of the Stimulus Law, see the of the AMA publication at: www.ama-assn.org/ama1/pub/upload/mm/399/arra-privacy-provisions.pdf 
Also see Part 14  of this guide.
The HHS may decide to investigate and/or try to resolve the issue informally. A person or organization that is obliged to follow the Privacy Rule may face a civil fine of up to $25,000, recently raised to a maximum of $50,000. In extreme cases, the U.S. Department of Justice
(DOJ) may be called in to conduct a criminal investigation. If the DOJ becomes involved, violators could face a jail term of up to 10 years and a fine of up to $250,000.
Privacy and data security go hand in hand. So far, this guide has looked at the HIPAA Privacy Rule, explaining what you can and cannot do to protect your sensitive medical files. Another regulation, also published by the Department of Health and Human Services, describes what "covered entities" must do to make sure your medical files are secure. The Security Rule took effect April 20, 2005, for larger entities, with a one year delay for health plans having annual receipts of $5 million or less.
Do I have a role in the HIPAA Security Rule?
Patients receive notice about privacy practices, but data security operates behind the scenes, out of your hands. Still the Security Rule is important to patients because, like the Privacy Rule, it creates a national standard. This means that all health care providers, health plans, and health care clearinghouses that transmit information electronically must adopt a data security plan.
Does the Security Rule protect all my health records?
Only health information maintained or transmitted in electronic format is covered by the Security Rule. Paper records stored in filing cabinets are not subject to the security standards imposed by the HHS.
What does the Security Rule require of covered entities?
The Security Rule, according to the HHS, was designed to be flexible, establishing a security framework for small practices as well as large institutions. All covered entities must have a written security plan. The HHS identifies three components as necessary for the security plan.
- Administrative safeguards
- Physical safeguards
- Technical safeguards.
Each of the three major categories has a number of subcategories. Some things must be included in the security plan while other factors are "addressable," that is items that may be considered and adopted if suitable to the covered entity's size and organization.
Is the Security Rule a "paper tiger?"
Given all the news about security breaches and unauthorized access to protected health information, it is easy to see why HIPAA’s Security Rule may be seen as inadequate. Even the HHS Inspector General issued a report on October 27, 2008, critical of the agency’s record of enforcing the Security Rule. To read the Inspector General’s Report, go to: http://oig.hhs.gov/oas/reports/region4/40705064.pdf 
In May 2011, the HHS Inspector General issued another report that found serious lapses in security for electronic health records. This report, based on an audit of seven hospitals, found that outsiders could, and in one case did, gain unauthorized access to personal health records. To read this report, go to: http://oig.hhs.gov/oas/reports/region4/40805069.pdf 
The HHS Inspector General also issued a report in May 2011 detailing the results of an audit of the HHS Office of National Coordinator (ONC), the office charged with overseeing the move toward a national health information infrastructure. ONC, the audit found, had not developed adequate standards and security control guidance necessary to safeguard personal health information in an electronic system.
To read this audit report, go to:
However, provisions in the 2009 Stimulus Law may soon bring stepped up enforcement of HIPAA’s privacy and security provisions. For example, state attorneys general are now authorized to file enforcement cases in federal district court. Penalties for violations have been substantially increased. And, periodic audits by HHS are now mandatory rather than discretionary as once was the case.
To learn more about the changes brought about by the 2009 Stimulus Law, see Part 14  of this guide.
Does the Security Rule address proper disposal of medical information?
Not directly. However, HHS has issued guidelines related to disposal. Although the guidelines do not require a certain disposal method, it is clear that casual disposal such as in a dumpster is a a HIPAA violation. In February 2009 HHS fined giant pharmacy chain CVS $2.25 million for failing to properly protect information through the disposal process.
- To read the HHS disposal guidelines, go to www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/disposalfaqs.pdf .
- To read the HHS settlement with CVS Pharmacy, go to: www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cvsresolutionagreement.html .
Will I be notified about a security breach?
The Security Rule adopted in 2005 did not require notice. However, notice might nonetheless be required by state laws that apply generally to a variety of industries, including health care providers. California, for example, has had such a law in place since 2003. This means a HIPAA covered entity’s breach event that took place in California after 2003 could have triggered a notice even though notice was not required by the HIPAA Security Rule. And as of January 1, 2009, California residents have an absolute right to notice of a health information breach.
See below in this section for more on California’s recent health information privacy law.
For more on California's general security breach law, see the “Data Security Breach”  section in the web site of the California Attorney General's Privacy Enforcement and Protection Unit.
Federal law and regulations also now give you rights to notice of a breach of your health information. The Health Information Technology for Economic and Clinical Health (HITECH) Act requires HHS and the FTC to jointly study and to report on privacy and data security of personal health information. HITECH also requires the agencies to issue breach notification rules that apply to HIPAA covered entities and Web-based vendors that store health information electronically.The FTC has now adopted final rules regarding breach notification for Web-based vendors. And, HHS has adopted interim final rules for HIPAA "covered entities."
- To read the Department of Health and Human Services interim final rules on data breach by a HIPAA covered entity, see http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf  . 
- To read the FTC's final rule regarding data breach notice for PHR entities and web-based vendors, see: www.ftc.gov/os/2009/08/R911002hbn.pdf 
The HHS data breach rules apply to HIPAA “covered entities” as well as “business associates” of HIPAA covered entities. Under the HHS rules, notice is required when there is an unauthorized access or use of “unsecured” protected health information of more than 500 individuals. Unsecured information is that which is not rendered unusable, unreadable or indecipherable such as by encryption .
In the even of a breach, notice must be made to the individual affected, the HHS, and, in some situations, the news media. Notice is required within a “reasonable” time, or in no case more than 60 days unless law enforcement directs otherwise. For breaches involving fewer than 500 individuals, notice must be made annually to the HHS for posting on the agency’s Web site.
In cases where notice must be made to individuals, the provider must describe what happened, the kinds of information involved, what is being done about the problem, and contact information for questions, including a toll-free telephone number, an e-mail address, a Web site, or postal address.
The FTC data breach rule applies to a “PHR related entity” as well as “vendors” that offer and maintain personal health records. A PHR entity is one that:
- Offers products or services through the Web site of a vendor of personal health records.
- Offers products or services through the Web sites of HIPAA-covered entities that offer individuals PHRs.
- Accesses information in a personal health record.
- Sends information to a personal health record.
One example the FTC gives of a PHR entity would be an online weight tracking program that sends information to a personal health record or pulls information from it. Another example would be a HIPAA covered entity such as a hospital that offers its employees a PHR. The FTC rule applies only to PHR entities and vendors that are not covered by HIPAA. A PHR offered by a hospital to employees would not be covered by HIPAA.
To learn more about PHRs and PHR vendors, see PRC Alert Online Personal Health Records: Are They Healthy for Your Privacy?,www.privacyrights.org/ar/Alert-PersonalHealthRecords-090421.htm 
Generally, the FTC and HHS have harmonized their respective rules so that notice requirements are the same and a single incident will not trigger notice requirements by both agencies. Both agencies also call for compliance with the federal requirements when state data breach laws do not conform to the federal rules. HHS solicited additional comment on certain aspects of its interim final rule.
HHS and FTC data breach notice rules do, however, differ in one important respect. FTC rules assume a breach of security has occurred unless the affected vendor or PHR entity can show otherwise. To illustrate, the FTC gives the example of an unauthorized employee who inadvertently accesses an individual’s information and logs off without reading, using or disclosing the information. If this happens, the FTC says no breach has occurred and notice is not required. In the same situation, if the employee reads and then shares the information with someone else, a breach has occurred. (74 Federal Register 42966, August 25, 2009)
HHS rules, on the other hand, create a “harm” test, that is it is left to the covered entity to decide whether a breach has occurred. Under this scheme, a breach triggering the notice requirement only occurs if the unauthorized disclosure “poses a significant risk of financial, reputational, or other harm to the individual.” To determine the potential harm, the covered entity must perform a risk analysis. The HHS offers several examples of situations that would pose a risk and others that would not.
According to the HHS, inadvertent disclosure of information to another entity required to comply with HIPAA would not pose the same risk as disclosure to one that did not have a HIPAA privacy obligation. In another example, disclosure of only the name of hospital patients, although a violation of the HIPAA Privacy Rule, may not pose a significant risk of financial or reputational harm to the patient. But, the risk increases upon disclosure of the name plus the types of services the patient received or the name plus information that could lead to identity theft such as Social Security number, account number, or mother’s maiden name. (74 Federal Register 42744, 42745, August 24, 2009)
On October 23, 2009, the PRC submitted comments to the HHS urging the agency to reconsider its so-called "harm" standard and adopt final regulations similar to those adopted by the FTC.
To read the PRC's comments to HHS, go to: www.privacyrights.org/hhs-comments-breach-notification-unsecured-protected-health-information 
The FTC's final rules were effective September 24, 2009, and the HHS interim final rules were effective September 23, 2009, with both agencies expecting full compliance by February 22, 2010.
On July 28, 2010, HHS announced that before issuing final rules, the agency would further consider its experience in administering the interim final rule. To read the July 2010 announcement, go to:
HHS rules require covered entities to report a data breach that involved more than 500 individuals. The HHS website includes a list of such data breaches , which includes the company, number of consumers affected, and whether the records involved were in computer or paper format.
See the complete text of the HIPAA Security Rule at http://aspe.hhs.gov/admnsimp/FINAL/FR03-8334.pdf 
In addition, effective January 1, 2009, California law imposes new security standards for health information. Now both state officials and the individual concerned must be notified within five days of a breach of health care information. The new law applies not only to health care providers that are subject to HIPAA but also to such other health facilities as health clinics, home health agencies and hospices.
To learn more about California health privacy law, visit the web site the California Office of Health Information Integrity .
A number of other states have also adopted laws requiring a notice to individuals. To find out whether your state has such a law, visit the web site for the organization Patient Privacy Rights. http://patientprivacyrights.org/state-breach-notification-laws/ 
Is my health information stored in electronic format?
Almost certainly some, or at least major portions of your health information, is kept in electronic format. In fact, to be covered by HIPAA at all means that protected health information is transmitted electronically, usually between a healthcare provider and a health benefit plan.
Even small medical practices are moving away from paper records. If your provider is a Health Maintenance Organization (HMO) or you have had a hospital stay, your medical information is likely to be accessed through computers accessible to various departments throughout the facility. In addition, some employers have established an internal electronic network of health data.
Is there a national database of medical records?
Not yet. But, that is the plan. In 2004 President Bush issued an Executive Order that requires the Department of Health and Human Services (HHS) to study and develop a national health information network (NHIN). With a ten-year deadline, the task of overseeing the system has been left to a newly created HHS Office, The Office of the National Coordinator for Health Information Technology, http://healthit.hhs.gov/portal/server.p t 
In addition, the 2009 Stimulus Law signed by President Obama calls for a system of electonic health records by 2014. The bill allocates up to $19 billion to implement adoption of the system. For more on the 2009 Stimulus Law, see Part 14  of this guide.
While the NHIN is not likely to be a reality for some time, many state governments have appointed boards and task forces to study the issue. The first step will be a regional network, combining electronic health records from a number of unrelated sources. The next step will be to combine the regional networks to create a statewide network. Ultimately, the state systems will feed into the national network so that health records are available nationwideóeven worldwide. See, for example, the CalRHIO project, www.calrhio.org .
Does the move to electronic health records increase privacy and data security risks?
Given the highly sensitive nature of health information, privacy and security are always major concerns, even with paper records. Rising health care costs and the need to reduce medical errors have been widely cited in recent years as moving forces behind the need for a system of electronic health records.
However, HIPAA’s shortcomings and lack of clarity have fed the public’s concern about the potential risks to privacy associated with having the most personal data imaginable stored in electronic format. Add to this, the nearly constant barrage of news stories about health data being accessed by hackers, lost with laptop computers, or simply read by curious employees, and it is little wonder consumers are concerned about privacy.
To feel comfortable with an electronic format, consumers are concerned, and rightfully so, with such issues as:
- What information will be collected about me?
- Will my medical records from several providers be combined?
- Who will have access to this information?
- Will my employer be able to see these records?
- Will I know who has seen my electronic health record?
- Can I correct inaccurate information in my electronic health record?
To address these and other concerns, HHS has developed a series of fact sheets that incorporate privacy principles for electronic health records. To read the HHS privacy principles fact sheets, go to www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/index.html .
Do EHRs have any uses or benefits other than to enhance patient treatment and payment functions?
Data from millions of electronic health reports have the potential for use in research to, for example, identify drug interactions or potentially life-threatening side effects of certain drugs in some patients. When used for such purposes patients’ identifying information would have to be removed. One such program administered by the federal Food and Drug Administration, the Mini-Sentinel Project , uses de-identified electronic health records from multiple sources to monitor the safety of FDA approved products.
Early on, cost savings were often cited as yet another benefit of moving toward an EHR system. However, a January 7, 2013 study released by the Rand Corporation , finds that promised cost savings have not been realized. This, they say, is because the systems in use are not interconnected and are not easy to use.
Is an electronic health record (EHR) the same as a personal health record (PHR)?
No. EHR refers to a system of electronically stored health records maintained by health care providers. PHR, on the other hand, refers to personal health records stored on web-based systems, often created and maintained by patients themselves. Some PHR systems are offered by health care providers such as hospitals. But, many commercial vendors also offer web-based PHR systems that allow individuals to store health care information.
For more on PHRs, see:
- Privacy Rights Clearinghouse alert, Online Personal Health Records: Are They Healthy for Your Privacy?www.privacyrights.org/ar/Alert-PersonalHealthRecords-090421.htm .
- The PRC alert, For a Complete Medical History, Compile Your Own Health Records but be Cautious about Storing Them Online, www.privacyrights.org/ar/keepmedfile.htm .
- HHS publication Personal Health Records and the HIPAA Privacy Rule, www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/phrs.pdf .
If you followed the 2008 Presidential campaign, you know that the need for electronic health records was frequently mentioned as a national priority. Not surprising then, the Stimulus Law, signed by President Obama on February 17, 2009, includes a section on health information technology and privacy. The health-related provisions of the Stimulus Law are incorporated into the Health Information Technology for Economic and Clinical Health Act (the HITECH Act).
The law allots at least $19 billion to meet the goal of electronic health records for all Americans by 2014. It also calls for a number of changes to the federal medical privacy rule, commonly known as HIPAA. This federal rule is governed by the U.S. Department of Health and Human Services (HHS).
The law requires HHS to develop revised rules for, among other things, business associates, rights of patients to restrict disclosures, accounting of disclosures, and notice of a security breach. The PRC will update Fact Sheet 8a as information becomes available.
Following are some highlights of the legislation:
- Individuals must get notice of a data breach, by both web-based vendors that store medical data and HIPAA covered entities. The HHS interim final rules were effective on September 23, 2009, and the FTC's final rules became effective September 24, 2009. See Part 12 of this Guide.
- Individuals have a right to pay for services and restrict disclosure of health information.
- Sale of protected health information is prohibited.
- Business associates and others can be sued by federal or state authorities.
- Individuals, e.g. employees of a HIPAA covered entity, as well as companies are subject to civil and criminal penalties.
In addition, effective February 2010, state attorneys general have authority to bring an enforcement action for HIPAA violations. After giving notice to the Secretary of HHS, a state attorney general may file an action in federal district court. Connecticut was the first state to bring such an action. In that case a HIPAA "covered entity" was charged with a serious data breach after a computer disk drive, containing personal information of over 500 individuals, was stolen and the company failed to take appropriate actions. Connecticut authorities announced a settlement of this case on July 6, 2010.
For more on this lawsuit, see the Connecticut Attorney General's press release at: www.ct.gov/ag/cwp/view.asp?A=2341&Q=462754 
On July 14, 2010, HHS issued proposed rules to carry out numerous HITECH provisions. In particular, the proposed rules, among other things:
- Detail the civil penalties that might be imposed for various violations.
- Impose new standards for business associates and their subcontractors.
- Limit disclosures for marketing and fundraising.
- Prohibit the sale of protected health information.
To read the HHS proposal to modify the HITECH Privacy, Security, and Enforcement Rules, see: www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/nprmhitech.pdf 
To read the PRC's comments regarding the proposed HITECH Privacy, Security, and Enforcement Rules, go to: www.privacyrights.org/privacy-security-rule-modification-comments 
On May 31, 2011, HHS issued proposed rules to address consumers’ rights to an accounting of disclosures. An accounting of disclosures generally relates to information disclosed to those outside the covered entity, such as disclosures for legal actions. Under the original HIPAA rule, accounting disclosures were available for the prior six years.
This proposal also addresses the HITECH provision that gives consumers the right to another report, called an access report, that lists those within an organization who have accessed the patient’s electronic records. Access reports required by HITECH are available for three years prior to the request. The HHS rule proposal regarding these reports limits the accounting report to three years.
To read the HHS rule proposal on accounting and access reports, see: www.federalregister.gov/articles/2011/05/31/2011-13297/hipaa-privacy-rule-accounting-of-disclosures-under-the-health-information-technology-for-economic 
To read the PRC's comments on the proposed accounting and access rules, go to: www.privacyrights.org/HIPAA-disclosures-under-HITECH 
For a summary, see Privacy and Information Policy Consultant Robert Gellman’s, Notes and Observations on Selected Parts of Title XIII, Subtitle D, Privacy, American Recovery and Reinvestment Act Of 2009, Public Law No: 111-5, February 24, 2009, available at: http://bobgellman.com/rg-docs/Stimulus-Privacy-HIPAA-Analysis.pdf 
Also see the analysis by the American Health Information Management Association at: www.ahima.org/downloads/pdfs/advocacy/AnalysisofARRAPrivacy-fin-3-2009a.pdf 
The Stimulus Law is officially called the American Recovery and Reinvestment Act of 2009 (Public Law 111-5). The privacy section of the Stimulus Law is Title XIII, captioned “Health Information Technology for Economic and Clinical Health Act,” or the HITECH Act, and Subtitle D of Title XIII, captioned “Privacy.” The full text of Public Law 111-5 can be found at: http://www.whitehouse.gov/assets/documents/Public_Law-111-5.pdf 
As of January 1, 2009, privacy and security standards reached a new level for California residents. Two laws (AB 211 and SB 541) which were signed by the Governor in September of 2008 combine to give Californians rights that significantly exceed those granted by HIPAA.
The California law imposes privacy and security standards on not only HIPAA “covered entities,” but a range of others defined as “health facilities.” This includes such organizations as:
- Home health agencies.
- Mobile health care units.
- Acute psychiatric hospitals.
- Intermediate care facilities.
For an extensive list of health providers and health facilities obligated to protect health information under the new California law, see Frequently Asked Questions  (FAQ) on the web site of the California Office of Health Information Integrity (CALOHI),
Besides covering health providers not subject to HIPAA, the California law goes beyond HIPAA in other significant ways. For example:
- Individuals have a private cause of actions for violations.
- It is a misdemeanor to unlawfully access, use or disclose protected information.
- Disclosures for the purpose of financial gain can bring a fine of up to $250,000.
- Health care providers and health facilities must report violations to the California Department of Public Health and to the patient within five days after an incident. This means, among other things, that patients are entitled to a notice of unauthorized access or use of health information.
- Fundraising is not allowed without an individual’s consent. This is in contrast to HIPAA which allows for fundraising as a healthcare operations function.
Where do I go to learn more about a violation of California law?
CalOHI's website includes a section entitled Medical Privacy Enforcement , which explains privacy violations in California and compares the state law to violations in federal law. This section also provides guidance on the proper California agency to contact to complain about violations.
In addition to complaining to CALOHI, you may also want to consult with an attorney since you now have a specific right to sue under California law.
In reading this guide about the HIPAA Privacy Rule, you may have rightly concluded that your ability to control the flow of your sensitive medical information is limited. Still, the more you know, the better able you are to maximize the privacy you have left.
- Educate yourself and find out as much as you can about the privacy practices of your health care provider and health plan. Read notices and ask questions if you don't understand.
- Talk to your provider about your confidentiality concerns. Ask how the provider shares patient data within the office and with affiliates.
- Remember, you are not just a patient but also a consumer of health care. Like any consumer, you can shop for the best privacy deal around. Also, be aware that, as a consumer, you can become a debtor. Unpaid medical bills can be referred to a collection agency or end up as a negative entry on your credit report. The insurance payment process can be complicated and confusing. Be sure to stay on top of your medical bills and dispute matters in writing with both the health provider and insurance company when you think errors have been made. Attempt to resolve disputes before bills are referred to a collection agency and/or the credit bureaus.
- Read authorizations carefully. Make your choices about restrictions on authorizations known, and refuse to sign any you are not comfortable with. Keep in mind, authorization forms may ask for your permission to disclose your health information for multiple purposes. One type of authorization is the use of your medical data for marketing. You may withdraw your authorization if you later decide you made the wrong choice.
Because HIPAA authorizes so many different types of disclosures without patient approval, you should be suspicious anytime that someone asks you to sign an authorization form for disclosure of health information. Make sure that the authorization is for your benefit and not someone else's.
- Exercise your right to obtain a copy of your medical records . Make sure information is accurate. Request that incorrect information be corrected or amended. Keep in mind, your health care provider has the final word on changes and amendments to health records. See the sample letter for requesting a copy of your medical records, www.privacyrights.org/Letters/medical2.htm 
- Keep a personal health record. This may include copies of your medical files and other information related to your health such as diet and exercise programs. For more on keeping a personal health file, see the PRC's Alert www.privacyrights.org/ar/keepmedfile.htm  and the American Health Information Management Association resources on personal health files. www.myphr.com/resources/faqs.aspx 
- Request that communications be made in a way that you choose. For example, you can request that you be called at your cellular telephone number rather than home phone, or that mailings be sent to your P.O. Box rather than your residential address.
- Complain if you feel your rights have been violated or your concerns have been ignored. You can file a complaint with both the provider and the HHS Office of Civil Rights. Many problems can be resolved by going directly to the health care provider before you contact DHHS.
- Contact your representatives in Congress and in your state legislature if you feel stronger laws to protect your medical privacy are needed.
- A final word about complaints: Registering your complaint with your health care provider, the Office of Civil Rights, and your legislative representatives might not result in immediate change. But by complaining, you are educating others about situations that you feel violate your privacy. You are also alerting lawmakers about deficiencies in health privacy law. You are not likely to see changes overnight, but if enough people communicate their dissatisfaction, we might see improvements in the future.
See PRC Fact Sheet 8 for additional medical privacy protection tips outside the HIPAA arena, www.privacyrights.org/fs/fs8-med.htm .
Filing Complaints under HIPAA
U.S. Department of Health and Human Services (HHS)
Office of Civil Rights
200 Independence Avenue, S.W.
Washington, D.C., 20201
For the regional office nearest you,
Or email: OCRComplaint@hhs.gov 
State Laws and Health Privacy
- State laws on access to medical records: Georgetown University Center on Medical Record Rights and Privacy,
- National Association of Insurance Commissioners (NAIC) - State HIPAA contacts
- State Medical Boards
- California Office of Health Information Integrity, http://www.ohii.ca.gov/calohi/Home.aspx 
- California Attorney General's Privacy Enforcement and Protection Unit, Medical Privacy Section 
The Patient as Consumer - Credit and Collection Laws
- Fair Debt Collection Practices Act
- Fair Credit Reporting Act
- Disputing credit report errors
- Insurers and credit reports
- Privacy Rights Clearinghouse Fact Sheet 6, "How Private is my Credit Report,"
- Privacy Rights Clearinghouse Fact Sheet 27, Debt Collection Practices: When Hardball Tactics Go Too Far, www.privacyrights.org/fs/fs27-debtcoll.htm 
- www.privacyrights.org/Letters/medical2.htm 
World Privacy Forum
- Patient’s Guide to HIPAA: How to Use the Law to Guard Your Health Privacy, prepared by Robert Gellman for World Privacy Forum, www.worldprivacyforum.org/hipaa/index.html 
- Genetics privacy page, www.worldprivacyforum.org/geneticprivacy.html 
Patient Privacy Rights
- Web: www.patientprivacyrights.org 
American Health Information Managerment Association (AHIMA)
- Personal Health Information FAQs, www.myphr.com/resources/faqs.aspx 
- Privacy, Security and Confidentiality Resouces, www.ahima.org/resources/psc.aspx 
U.S. Department of Health and Human Services (HHS) web site on HIPAA
- The HHS HIPAA page, www.hhs.gov/ocr/privacy/index.html .
- HIPAA frequently asked questions (FAQ), www.hhs.gov/ocr/privacy/hipaa/faq/index.html 
Council for Responsible Genetics
We acknowledge the assistance of privacy consultant Robert Gellman <www.bobgellman.com > in the preparation of this guide.